Iranian hackers were responsible for a disruptive computer breach in March that forced Los Angeles’ transit system to shut down parts of its network, Israeli researchers found earlier this week.
The saboteurs stole at least 700 gigabytes of emails, backups, and other files from the Los Angeles County Metropolitan Transportation Authority (LACMTA), according to Gambit Security, a Tel Aviv-based cybersecurity firm that said it discovered the misappropriated data after it was inadvertently exposed online.
In a report published on Tuesday, the company said a digital trail of evidence tied the server where the data was discovered to a previously known hacking operation that Israeli officials and researchers attributed to Tehran.
The Los Angeles transit authority didn’t respond to questions about the findings. In a statement shared last month, its officials said they were working with law enforcement and cyber specialists as they brought their systems back online. “Attribution is part of the investigation and we will not speculate,” the statement said.
The attack disrupted digital services for passengers, including the display of arrival times and the ability to add money to digital cards. LACMTA claimed at the time that the transportation service itself was not affected and that no indication of harm to customers or employee data was found.
Gambit also noted that the attack on LACMTA’s systems did not consist solely of information theft. In some cases, the attackers also acted to destroy systems and impair the recovery capability of the affected organizations.
According to Gambit’s report, the attacker’s activity included deleting virtual machines, databases, and storage volumes, as well as damaging backup infrastructures – in other words, not just a breach to collect information, but an attempt to make it difficult for LACMTA to return to normal operations.
Notably, Los Angeles is one of the host cities for the FIFA 2026 World Cup, which begins on June 11.
Digital security specialists have suspected an Iranian hand in the operation against the LACMTA ever since an obscure pro-Iran outfit calling itself Ababil of Minab claimed responsibility. The group’s name refers to the bombing of a girls’ school in the Iranian city of Minab that officials there say killed more than 175 children and teachers, and its rhetoric and modus operandi are characteristic of self-styled vigilante hacker groups that US and Israeli researchers allege are cut-outs for Iranian spies.
The threat actor group claims to be an independent activist organization.
Eyal Sela, Gambit’s director of threat intelligence, said a connection between Ababil and the Iranian state “has been a working assumption.”
“What our research adds is the forensic evidence to support it,” he said.
Gambit, a security startup founded in part by veterans of Unit 8200, Israel’s equivalent of the US National Security Agency, said it had alerted relevant authorities to its findings.
Ababil did not return messages left via a form on its website. The FBI said it was aware of the LACMTA incident and was “coordinating with partners in response.” The FBI declined further comment.
The US civilian cyber defense body, the Cybersecurity and Infrastructure Security Agency, did not return messages seeking comment. Iran’s mission to the United Nations and Israel’s National Cyber Directorate also did not respond to Reuters’s request for comment.
Iran-linked, Iran-backed hackers allegedly active since start of war
The intrusion at LACMTA was detected around March 16, its officials said in their statement. About two weeks later, Ababil materialized online and claimed to have wiped an enormous amount of data in a destructive cyberattack, publishing a video that purported to show them rampaging through the transit system’s network.
Ababil also has claimed credit for hacks affecting South Florida’s Tri-Rail commuter transit system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac.
In a statement, Tri-Rail confirmed it had been hacked “about a month ago,” but said that none of the affected data was critical. Vyncs owner Agnik said it had detected its breach on April 2 but declined to comment on the nature of the data stolen by the hackers.
Both Tri-Rail and Agnik said the FBI was involved, with Agnik saying in an email that the bureau “has a pretty good understanding of who these criminals are.” Unimac did not return messages seeking comment.
The group behind Ababil has hacked other organizations whose identities it has not publicized, Gambit Security said, citing its analysis of other data left online by the spies. Sela said they included a media organization and an educational institution in Israel and an insurance brokerage in Turkey, but he declined to identify them further.
Iranian hackers have allegedly carried out a drumbeat of digital operations since the US and Israel launched a war against Iran in late February, including a damaging attack on the medical device company Stryker and the leak of personal emails belonging to FBI Director Kash Patel. Iranian hackers are also suspected of having remotely tampered with fuel gauges at gas stations, CNN reported earlier this month.


